By Aileen Kara Hudspeth, Technical Director – Braxton-Grant Technologies, Inc. (Broadcom Software Knight)
Providing secure access to employees, customers, partners, and third parties with ZTNA
The ability to provide secure access to employees, customers, partners, and other third parties is essential for any business today. In this blog series, Symantec partner Braxton-Grant will look at why ZTNA is increasingly playing a critical role in providing that access and key factors to consider when selecting and implementing ZTNA solutions.
With return-to-office mandates in flux, the need to provide secure access for employees, customers, and partners has never been greater. The good news is that no matter what your company design looks like today, Zero Trust Network Access (ZTNA) solutions can provide invaluable protection.
ZTNA is a subset of Zero Trust that deals with identity and access management for users who are accessing an organization’s applications. As a Broadcom Knight certified on Symantec ZTNA, I work closely with our customers throughout the various stages of their Zero Trust journey – a journey that always begins with identity.
Never trust, always verify
Secure access can no longer be based on whether a user sits in the office. Instead, policy needs to be built on something more tangible – identity. Do you remember “stranger danger,” a term we learned as kids? The same concept has been applied to network access: implicit trust has been eliminated. Just because I know who you are today and what you’re accessing doesn’t mean that five minutes from now your account hasn’t been maliciously taken over or your system hasn’t been compromised. Zero Trust requires constant awareness and verification: Who are you? Are you still in control of your system? Has your behavior changed?
ZTNA is a component of the Zero Trust journey. As Kyle Black, Security Strategist for Symantec, a division of Broadcom, explained, “ZTNA sits in the middle of the transaction between users and their applications. With ZTNA, users never access the network but go directly to their applications.” The foundation of ZTNA is the principle of least privilege, which limits users’ access rights to applications: I only want to provide access to what’s necessary, and I want to prevent the opportunity for someone to do something malicious, intentionally or not, or to reach things that are not necessary for their job. Role-Based Access Control (RBAC) helps ensure user privileges are not escalated.
Popular use cases for ZTNA include:
Secure remote work: Today’s enterprise users work from anywhere. Organizations need to provide restricted access to corporate internal resources whether users are working remotely or at headquarters. ZTNA can help validate users and provide the necessary security controls to allow them access only to their assigned resources, even when accessing them from outside the controls of the on-premises security solutions. You may only need to give users access to one application, one system, or one file in the network – not everything. First, identify all the identity sources (contractors, partners, vendors) you need to ingest and any gaps in coverage. What groups of users and identities do I need to build policy on?
Merger/Acquisition: An organization has acquired a new company or subdivision but is not completely ready to merge the two networks because the company is still evaluating its assets. By using ZTNA to onboard your new users, you can uphold the parent corporation’s requirements starting Day One. You can now install security controls without taking away the productivity of the user group, organization, or business unit you acquired. ZTNA still lets you figure out who’s who, what groups they belong to, and what applications they need, and then build in appropriate secure access.
IT consulting: The secure access challenges for consulting are very similar to those of mergers and acquisitions. For example, an organization may need to allow contractors to access certain files temporarily but doesn’t feel comfortable letting them access the company’s full network environment or giving them a company laptop. The company may also want to prevent those users from unintentionally harming other systems or trying to access things they don’t need. ZTNA provides guided, time-based access so users can still have what they need to be productive in their jobs. ZTNA can provide restricted secure access based on policy and reduces the need for VPNs.
Data compliance: What is it in my organization that I need to protect? Once I identify those assets, data compliance is about enforcing your DLP policies and other protection measures. I need to make sure the user stays productive, but I also need to make sure my resources are not downloaded to unsecured corporate devices, or that only specific things may be accessed from unsecured non-corporate devices. ZTNA ensures that my data is protected when it moves and reduces the risk of a data leak.
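The per-application, identity-first decisions described in these use cases can be sketched as a small policy broker. This is an added illustration, not Symantec ZTNA code; the application names, groups, and posture signals are constructed, and it assumes the broker is handed a fresh context (groups, device state, time) on every check so that a session can be cut when posture or the time window changes.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed sample policies (hypothetical app names): entitled groups, whether only
# managed devices may connect, download rules, and an optional contractor time window.
POLICIES = {
    "hr-portal": {"groups": {"hr"}, "managed_only": False, "download": "managed"},
    "finance-db": {"groups": {"finance"}, "managed_only": True, "download": "managed"},
    "proj-share": {"groups": {"contractor-acme"}, "managed_only": False,
                   "download": "never", "window": (utc(2024, 6, 1), utc(2024, 6, 30))},
}

@dataclass
class Context:
    """What the broker knows about the request right now; supplied afresh on every check."""
    user: str
    groups: set
    device_managed: bool
    device_healthy: bool  # posture signal, e.g. endpoint agent reports no compromise
    now: datetime

def decide(app, ctx):
    """Per-application verdict ('allow', 'allow-no-download' or 'deny') plus the reason.
    Default is deny: there is no network-level access to fall back on."""
    pol = POLICIES.get(app)
    if pol is None:
        return "deny", "no policy for application"
    if not ctx.groups & pol["groups"]:
        return "deny", "identity not entitled"
    if not ctx.device_healthy:
        return "deny", "device posture check failed"
    if pol["managed_only"] and not ctx.device_managed:
        return "deny", "unmanaged device"
    window = pol.get("window")
    if window and not (window[0] <= ctx.now <= window[1]):
        return "deny", "outside approved time window"
    if pol["download"] == "never" or (pol["download"] == "managed" and not ctx.device_managed):
        return "allow-no-download", "view only on this device"
    return "allow", "entitled user on a healthy device"

def monitor_session(app, checkpoints):
    """Continuous verification: re-run the decision on each Context snapshot taken over a
    session's life; return the index of the first failing snapshot (cut the session there)."""
    for i, ctx in enumerate(checkpoints):
        if decide(app, ctx)[0] == "deny":
            return i
    return None
```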
ZTNA meets data protection
Although breaches are inevitable, ZTNA can significantly reduce your risk. Yet once I figure out who you are, I next need to determine what data you are accessing: What protection do I need to put around that data? When can that data move? When must it not move? What data should be protected more stringently in certain circumstances than others? In the next article in this series, we’ll explore the importance of data protection and how ZTNA can help your organization.